Digital Signature

- serial signing is where each signature comprises the prveious signatures

- PKCS#7 and CMS

- it is embedded

- signature value may also include additional information such as a signature graphic a time stamp and other data

- files and emails

- child

- parent

- sibling

- other file

- enveloping

- enveloped

- detached

- SOAP (Simple Object Access Protocol) - SOAP messages are ordinary XML documents, uses HTTP for transmission, uses WSS to encypt or sign

- SAML (Security Assertion Markum Language) - for exchanging authentication and authorization assertions, SAML is XML-based where requests and responses usually are singed

- represents content secured with digital signatures or MACs using JSON based data structures

- 3 main pars:

 - Header - parameter descriging the crypto operations and

 - Payload - sequence of octets secured

 - Signature - digital signature or MAC over header and payload

- token to authorize calls to back-end resources

- adding an authentication and identity layer providing information about the end-user

- ES -> a legal non-technica term, includes also non-crypto procedures as scanned handwritten signature

- DS -> Based on crypto algorithms, generates a temperproof representation of the data (integrity), enables proving of data origin (sender/author), 

- data originality

- data integrity

- ESCD qualified signature creation device

- it is has strong legal provative value and it's non-reputable (like handwritten signature)

- sign multiple files with activating the private key only once

- the activation data PIN is cached for specific time / number of signatures

- a digitally signed attestation (Beglaubigung, Bescheinigung) provided by trustworthy service which confirms that certain data have been present at a specific time

- it increases level of probative value (beweiskraft) and non-repudation, also often very helpful to have a timestamp as such

- always the hash --> hash of data, hash of data and timestamp, hash 

- singed hash concatenated with timestamp

- All revocation information, certificate chain and timestamps necessary to validate a
signature will be included in the document or data, even though they normally can be
obtained during signature validation. So even if the certificate issuer were to cease to
exist, it is still possible years later to know that at the third-party confirmed point in time
of signing, the signing certificate itself and the corresponding chain was good.

- At any time in the future it must be possible to validate a signed
document to confirm that the signature was valid at the time it was
signed – a concept known as Long-Term Validation (LTV).

- it needs revocation infromation, certificate chain and timestamp

- Digital signed documents must also be archived for a
long time – even many decades. At any time in the future,
in spite of technological and other advances, it must be
possible to confirm that the signature is still valid and
tamperproof.

Due to the aging process of key material (computing
power) or cryptographic algorithm (findings in
cryptanalysis) an initially secure signature may get weak. -> due to that QES may loose its provative value -> should be resigned

- they provide trust and confidence in electronic transactions and publishes standards for trust services providers, electronic signatures and electronic seals / time-stamps

- Zusammenfassung der Baselines:
- B: SignedInfo, SignatureValue, KeyInfo and SignedProperties
- T: timestamp
- LT: longterm
- LTA: longterm with archive timestamp

- BASELINE-B: (Basic Electronic Signature) the lowest and simplest version just
containing the SignedInfo, SignatureValue, KeyInfo and SignedProperties. This level
combines the old -BES and -EPES levels. This form extends the definition of an
electronic signature to conform to the identified signature policy.

- BASELINE-T: (Signature timestamp) A timestamp regarding the time of signing is
added to protect against repudiation.

- BASELINE-LT: (Long Term level) Certificates and revocation data are embedded to
allow verification in future even if their original source is not available. This level is
equivalent to the old XL level.

- BASELINE-LTA: (Long Term with Archive timestamp) By using periodical timestamping
(e.g. each year) compromising is prevented which could be caused by
weakening previous signatures during a long-time storage period. This level is
equivalent to the old -A level.

- an electronical identity for all swiss citizen

- same legal impl. as a handwritten signature

- same as AdES (advancedelectronic signature) it allows to enhance its legal implication trhough a regulated and qualified electronic signautre (QES)

- secure signature creation device (SSCD)

- to a qualified certificate

- to a natural person

► authorityKeyIdentifier: Identifier of the CSP‘s key,
which signed the certificate.
► keyUsage (Critical): Purpose of the key →
contentCommitment = nonRepudiation

- Einem Audit von SAS (Schweizerische Akkreditierungsstelle

- Nein, erst das qualified certificate (unten rechts) ist mit dem gleichzustellen?

- Nein, dies kann nur an natürlich Personen ausgestellt werden.

- Qualified Certificate

- contentCommitment

- Dies ist ein Standard für die Public Key crypto, welche die Schnittstelle von OS zur Crypto Hardware darstellt, mit welcher man entsprechend keys/certs brauchen, erstellen, löschen, modifizieren kann.

- dasselbe wie oben für Microsoft ;-)

- Bei Local Signing wird ein lokales physisches z.B. Token verwendet, um mittels keys/certs daten zu signieren. Bei Remote Signing übernimmt ein Server das Signieren

- er signiert Dokumente für uns

- hardware security module -> es hält die keys und macht die kryptographischen Operationen

- Ein Dokument und deren signatur.